
Spring Security: 404 on logout

When I try to access the logout URL of my spring application, I get a 404 error and No mapping found for HTTP Request with URI [/logout] in DispatcherServlet with name 'mvc-dispatcher' in my server log.

I have already tried "Call to j_spring_security_logout not working", "Issue with Spring security's logout" and pretty much all of the related results on SO.

I'm including the complete configuration files as the Spring xml structure isn't quite clear to me yet.

My security configuration:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http pattern="/resources/**" security="none" />

    <http auto-config="true">
        <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login" default-target-url="/"/>
        <logout logout-url="/logout" />
        <csrf />
    </http>

    <global-method-security secured-annotations="enabled" />

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>

</beans:beans>

My web.xml is this:

<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name>XYZ</display-name>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/*-config.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

How do I make the logout page work?

If you are using logout with CSRF you must perform a POST. See http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout

I had the same problem after migrating from Spring 3.2 to 4 but I wanted to logout using a link on the view.

The Spring doco ( http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-include-csrf-token-form ) explains how to do it in the view.

I used this snippet in the JSP to do the logout:

<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<form:form action="${pageContext.request.contextPath}/logout" method="POST">
    <input type="submit" value="Logout" />
</form:form>

In order to solve this, it's usually required to convert a logout link into a POST form button with hidden CSRF token, which can be achieved by:

<a href="#" onclick="document.getElementById('logout-form').submit();"> Logout </a>

<form id="logout-form" action="<c:url value="/logout"/>" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>

Try this, logout with HTTP.GET

WebSecurityConfigurerAdapter

// In HttpSecurity configure
...
.logout()
...
.logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
...
...

HTML

<a href="/logout">Logout</a>
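
Added example, not part of any answer above and not code from the Spring project: a Java-config sketch of the question's `<http>` block that keeps logout as a CSRF-protected POST, with the GET matcher from the last answer shown commented out for comparison. The class name `LogoutSecurityConfig`, the `JSESSIONID` cookie name and the `/login?logout` success URL are assumptions, and a `UserDetailsService` bean is assumed to exist in the context as in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical class name. Approximates the <http> block from the question;
// the userDetailsService bean from the question is assumed to be in the context.
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Counterpart of <http pattern="/resources/**" security="none" />
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login*").permitAll()   // roughly IS_AUTHENTICATED_ANONYMOUSLY
                .anyRequest().hasRole("USER")         // access="ROLE_USER"
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/")
                .and()
            // CSRF protection is on by default in Java config (<csrf /> in the XML).
            .logout()
                // Hardened setting: the logout filter reacts only to POST /logout,
                // and the CSRF filter requires the token on that POST. A plain
                // GET /logout is not intercepted, reaches the DispatcherServlet,
                // and produces the 404 described in the question.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                // Weaker setting from the last answer: a GET carries no CSRF token,
                // so a request triggered from another site can end the session.
                // .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
                .invalidateHttpSession(true)      // drop the server-side session
                .deleteCookies("JSESSIONID")      // assumed session cookie name
                .logoutSuccessUrl("/login?logout");
    }
}
```

With the POST matcher in place, the view has to submit a form that carries `${_csrf.parameterName}`, as in the JSP snippets above.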
